Puzzle box: The quest to crack the world’s most mysterious malware warhead

It was straight out of your favorite spy novel. The US and Israel felt threatened by Iran's totalitarian-esque government and its budding nuclear program. If this initiative wasn't stopped, there was no telling how far the growing conflict could escalate. So militaries from the two countries reportedly turned to one of the most novel weapons of the 21st century: malware. The result was Stuxnet, a powerful computer worm designed to sabotage uranium enrichment operations.

When Stuxnet was found infecting hundreds of thousands of computers worldwide, it was only a matter of time until researchers unraveled its complex code to determine its true intent. Today, analysts are up against a similar challenge. But they're finding considerably less success taking apart the Stuxnet cousin known as Gauss. A novel scheme encrypting one of its main engines has so far defied attempts to crack it, generating intrigue and raising speculation that it may deliver a warhead that's more destructive than anything the world has seen before.

Gauss generated headlines almost immediately after its discovery was documented last year by researchers from Russia-based antivirus provider Kaspersky Lab. State-of-the-art coding techniques that surreptitiously extracted sensitive data from thousands of Middle Eastern computers were worthy of a James Bond or Mission Impossible movie. Adding to the intrigue, code signatures showed Gauss was spawned from the same developers responsible for Stuxnet, the powerful computer worm reportedly unleashed by the US and Israeli governments to disrupt Iran's nuclear program. Gauss also had links to the highly advanced Flame and Duqu espionage trojans.

Gauss contains module names paying homage to the German mathematicians and scientists Johann Carl Friedrich Gauss, Kurt Friedrich Gödel, and Joseph-Louis Lagrange. Its noteworthy features only start there. Gauss has the ability to steal funds and monitor data from clients of several Lebanese banks, making it the first publicly known nation-state sponsored banking trojan. It's also programmed to collect a dizzying array of information about the computers it infects—including their network connections, processes and folders, BIOS, CMOS, RAM, and both local and removable drives.

But the most intriguing characteristic of Gauss is an encrypted payload that has so far remained undeciphered, despite the best efforts of cryptographers who have already tried millions of possible keys. Tucked deep inside the Gödel module, the secret warhead is loaded onto USB sticks and removable drives when they're connected to Gauss-infected machines. When the drives are plugged into an uninfected computer later, the mysterious code is executed—but only if it encounters the specific machine or machines targeted by the Gauss developers. On every other computer, the module remains cloaked in an impenetrable envelope that prevents researchers and would-be copycats from reverse engineering the code. The extreme stealth has stoked speculation that the payload may contain a potent exploit that could rival the Stuxnet attack that was bent on destroying uranium centrifuges inside Iran's high-security Natanz enrichment facility. Certainly not your everyday malware.

"Considering the link with Flame and Stuxnet, the payload of Gauss must be of similar magnitude," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Given how careful the attackers were to make sure the Gauss payload doesn't fall into the 'wrong' hands, we can assume it is very special."

Built to last

Gauss is by no means the first malware with a payload that was programmed to remain dormant unless it was installed on computers meeting a narrow set of criteria. Stuxnet also contained code instructing it to destroy uranium-enrichment centrifuges only when they were physically located at Natanz. Researchers have theorized that the trigger was implemented to reduce the chances of collateral damage that might result if Stuxnet took hold in other facilities. (The precaution proved wise, since Stuxnet infected more than 100,000 computers scattered all over the globe.)

But as cryptographer Nate Lawson observed more than two years ago, the mechanism Stuxnet used to protect unintended targets from destruction was surprisingly crude for an otherwise advanced cyberweapon developed by countries with almost unlimited budgets. The coding techniques were largely limited to conditional "if/then" range checks that identified computers running German conglomerate Siemens's Simatic Step7 software inside Natanz. If an infected computer met the criteria, the sabotage payload was activated. If not, the exploit sat dormant.

Noticeably absent from Stuxnet was any kind of mechanism preventing researchers, enemies, or potential copycat programmers from peering inside the malware to see what the highly selective payload did. That's precisely what security experts such as Ralph Langner did following the Stuxnet discovery. Within a few weeks, the world had its answer: Stuxnet was a powerful cyberweapon unleashed by a well-resourced government bent on sabotaging Iran's nuclear program. While the developers may have taken care to prevent the worm from attacking other countries, they did little to conceal the true aim and methods of their malware, which attacked programmable logic controllers at the heart of the enrichment process.

"Encrypting your payload so that only the intended target can decrypt it hides both the identity of the victim and the worm's purpose," Lawson recently told Ars. "If Gauss came after Stuxnet, it's clear the authors disliked the publicity its PLC [programmable logic controller] payload received and made an effort to hide it properly the second time."

The notion of software containing a "secure trigger" isn't new either. Scientists such as Fritz Hohl theorized about it as early as 1998 in a paper titled "Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts." Researchers from security firm Core Security expanded on the idea eight years later in a paper titled "Foundations and applications for secure triggers." The idea was to use strong cryptography to ensure a piece of code or content remained secret until a particular event occurred. Once the preselected condition was met—and only if it was met—the concealed payload was automatically disclosed or executed. Otherwise it remained locked inside an impenetrable vault.
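A minimal illustration of the secure-trigger idea described above, written for this page rather than taken from Gauss or from the cited papers: the key is derived from an environment string (such as a PATH entry), a stored hash lets the code recognise the right key without revealing it, and a dry-run check lets a defender test whether a machine matches the trigger without decrypting anything. The SHA-256 XOR keystream, the sample path, the salt and the sealed text are all constructed for the demonstration.

```python
import hashlib

# Toy secure trigger (demo construction, not the real Gauss scheme):
# the payload is encrypted under a key derived from the target environment,
# so a machine whose environment does not match cannot recover it, and a
# researcher holding only the sealed blob must guess the environment itself.

def derive_key(env_fingerprint: bytes, salt: bytes) -> bytes:
    """Key = SHA-256(salt || environment string), e.g. a PATH entry."""
    return hashlib.sha256(salt + env_fingerprint).digest()

def verifier(key: bytes) -> bytes:
    """Stored beside the ciphertext; recognises the right key without exposing it."""
    return hashlib.sha256(b"verify" + key).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-style keystream built from SHA-256; same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def seal(payload: bytes, target_env: bytes, salt: bytes) -> dict:
    """Producer side: bind the payload to one expected environment string."""
    key = derive_key(target_env, salt)
    return {"salt": salt, "verifier": verifier(key), "ct": keystream_xor(key, payload)}

def matches_environment(trigger: dict, env: bytes) -> bool:
    """Defender-side dry run: report whether this environment would unlock the
    blob, without ever decrypting it (the check is a hash comparison only)."""
    return verifier(derive_key(env, trigger["salt"])) == trigger["verifier"]

def open_if_match(trigger: dict, env: bytes):
    """Return the sealed bytes only when the environment matches, else None."""
    if not matches_environment(trigger, env):
        return None
    return keystream_xor(derive_key(env, trigger["salt"]), trigger["ct"])

# Constructed sample values: a hypothetical PATH entry stands in for the trigger.
TARGET_ENV = b"C:\\Program Files\\ExampleVendor\\ExampleApp\\bin"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
TRIGGER = seal(b"hello from the sealed module", TARGET_ENV, SALT)

if __name__ == "__main__":
    for env in (b"C:\\Windows\\system32", TARGET_ENV):
        print(env.decode(), "->", "match" if matches_environment(TRIGGER, env) else "no match")
```

Because the verifier only tells you whether a guess is right, the search space is the set of plausible environment strings, which is why key guessing against the real blob has been so unproductive.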

118 Reader Comments

So militaries from the two countries turned to one of the most novel weapons of the 21st century: malware.

I think there should probably be an "allegedly" in there somewhere. The evidence all seems to be pointing there, but I don't think it has been officially admitted yet other than some anonymous sources.

Or it's a deliberately uncrackable payload intended to keep researchers (especially counter-espionage researchers) busily looking the wrong way tacked into the framework of other attacks to ensure it got found.

Now some of that was over my head (I code games in my free time, not cryptology, lol).

But where you said part of the payload check, vs. a specific file path to see if a certain piece of software is installed, couldn't it be set to a seemingly random directory structure, so that it can be activated by a second piece of malware at a later date?

If I were to deliberately release something like this, but didn't want a "friendly fire" incident, I would do it as such.

Sure, it means you have to deliver a second piece of software, but if the second piece was only generating a directory structure it wouldn't be that difficult to get past a virus scanner, so a directly marketed malware drive (e.g. email to users of a certain location in large amounts) would be easier (comparatively speaking) to get onto the target.

Doesn't help with cracking it much, but if they restrict it to a "known" directory structure they may never find it.

I wonder if they'd have luck simply asking some of the likely targets (Iran) if they'd want to help. Something like "hey Iran, could you run a simple tool that gathers directory structures on a bunch of your internal systems?".

- The security researchers would gain insight and probably figure out whatever zero-days this thing has cobbled together, thus making the computer world safer.
- The Iranians would gain insight into what is targeted, and could probably avoid the hack altogether. If they worked with Kaspersky, it is possible they'd be somewhat confident the request for directory structures wasn't a western trap.

The main obstacle would be the math Iran would have to confront:
- Probability of the info-gathering tool being malware * cost of a hack that way
vs.
- Probability of Gauss being targeted at them * cost of a hack that way

I wonder if they'd have luck simply asking some of the likely targets (Iran) if they'd want to help. Something like "hey Iran, could you run a simple tool that gathers directory structures on a bunch of your internal systems?".

- The security researchers would gain insight and probably figure out whatever zero-days this thing has cobbled together, thus making the computer world safer.
- The Iranians would gain insight into what is targeted, and could probably avoid the hack altogether. If they worked with Kaspersky, it is possible they'd be somewhat confident the request for directory structures wasn't a western trap.

There are laws out there to prevent this kind of collaboration.

Sanctions cover more than just physical items.

That said, I didn't go and try to find all the sanctions out there, since we're talking about Russia.

The payload is a full install of Windows ME, complete with a rickroll.

Makes you wonder how much other more stealthy malware is out there, not to mention deliberate backdoors in popular OSs, given that these exploits seem to have the blessing and resources of major governments behind them...

Yeah, if thousands of infected machines have been identified, wouldn't it make more sense to try and get their hands on one of them, instead of just attacking the crypto (I know challenges are fun, but...)? I really doubt the thing has such pinpoint accuracy that literally every single infected box is located someplace inaccessible.

On the other hand, if the trigger was an existing configuration, there seems to be a defense. It should be possible to write a program to do the hashing and decrypting on a particular machine without running the decrypted code, but just to determine if all the criteria are met. If so, that environment is the target. I wouldn't expect the target to publicize either that fact or the payload though.

Yeah, if thousands of infected machines have been identified, wouldn't it make more sense to try and get their hands on one of them, instead of just attacking the crypto (I know challenges are fun, but...)? I really doubt the thing has such pinpoint accuracy that literally every single infected box is located someplace inaccessible.

You mean the machines that Iran almost certainly has been using for its illegal weapons program?

"Never trust a person who has worked for less than a year"... so since that payload needs to be delivered via USB stick, there is a person that is working in the targeted "operation", biding their time for when (s)he needs to go into action and place the USB stick...

Because this is almost definitely an attack against a nation-state, the intended target would have the best chance of decrypting the payload because they would know their own environment. If we assume that Iran is the target, prior malware attacks may have revealed some proprietary "in house" application at Natanz or another facility. Gauss is then targeting machines with that PATH variable, and the application wouldn't even be known outside of Iranian nuclear circles. That would leave Iran as the only country capable of decrypting Gauss's module, and I'd say two things are certain: 1) they're working on that goal right now, and 2) if they crack the payload they won't be announcing it.

Yeah, if thousands of infected machines have been identified, wouldn't it make more sense to try and get their hands on one of them, instead of just attacking the crypto (I know challenges are fun, but...)? I really doubt the thing has such pinpoint accuracy that literally every single infected box is located someplace inaccessible.

Thing is just as with Stuxnet, just because the machine is infected doesn't mean it's a target machine for the payload. Most of those infected machines with Stuxnet were just intermediary carriers used to propagate the worm to its intended target. More than likely, the same holds true for Gauss.

Yeah, if thousands of infected machines have been identified, wouldn't it make more sense to try and get their hands on one of them, instead of just attacking the crypto (I know challenges are fun, but...)? I really doubt the thing has such pinpoint accuracy that literally every single infected box is located someplace inaccessible.

I think the point really is that plenty of machines are infected, but only the secret (targeted) machines have the necessary code unpacked and executed. So if you don't really know where to look, and what you're looking for exactly (though the font helps), your odds of success are pretty low.

Just a guess but I'm betting the payload will fire when it sees a certain type of software that is used for targeting on certain launch systems. I am also betting it looks for a type of firmware with guidance systems and overwrites it, which could lead to a catastrophic launch failure. I guess we just look for the boom?

Although this method of obfuscation is effective at preventing law-abiding people from reading the payload, other nations or criminals could deploy a different virus that infects a large number of machines to try and find out the correct program name.

Given the cryptographic hurdles being found, this might be the simplest and easiest option, so perhaps the authors merely intended to disguise the purpose of the payload from public researchers.

Or it's a deliberately uncrackable payload intended to keep researchers (especially counter-espionage researchers) busily looking the wrong way tacked into the framework of other attacks to ensure it got found.

I wouldn't be surprised if the font is exactly that, a head fake to screw with researchers' minds.

Path variable decrypts to C:\Program Files\Electronic Arts\SimCity. Modules are underground fixes/mods; the coding is too good for EA ...

In other news, Iranian counter-terrorist agents have announced that they have solved the problem: "We know who did it - damn German mathematicians - wrote the code and then 'conveniently' died. As if! They're not so smart - they signed the code!" The German government has yet to respond, though the German Department for Applied Mathematics and Anti-Islamic Activities released the following statement: "It's an underground mod for SimCity that makes all of the sims nude..."

So why, exactly, are we trying to crack this and tell Iran what to look for to protect themselves? Methinks that if Kaspersky Labs wants to stay relevant they might want to watch out. The next worm aimed at Iran might just have a side payload for them.

Because Kaspersky is a Russian company, I am sure they have enough "protection" on that side. In addition, Iran was an ally of the Soviet Union back in the day (how do you think all that infrastructure appeared there in the first place?) - a friendship that has been mainly taken over by Russia.

Besides, what tangible results would the virus creators achieve if they attack Kaspersky (the original Stuxnet was discovered by a Belarusian company VirusBlokAda, by the way)?

This is a good PR move for Kaspersky more than anything else, because I'm sure they aren't the only ones delving so deep into the code.